[Snort-devel] RE: [Snort-users] Encrypted sessions

Ju Kong Fui kongfui at ...987...
Wed Nov 28 17:29:49 EST 2001

Rather than building decryption module into snort, I suggest to build a host
based "snort", using the same signature as the existing network based
"snort". Both host based and network based "snort" can log to the same log
repository and then report it using ACID or any other reporting

-----Original Message-----
From: Erek Adams [mailto:erek at ...105...] 
Sent: Wednesday, November 28, 2001 2:57 PM
To: Abe L. Getchell
Cc: 'Ronneil Camara'; snort-users at lists.sourceforge.net;
snort-devel at lists.sourceforge.net
Subject: RE: [Snort-users] Encrypted sessions

On Wed, 28 Nov 2001, Abe L. Getchell wrote:


> What I would love to see is a crypto feature built into Snort much 
> like has been built into tcpdump (compiled using './configure 
> --with-crypto' and used at run-time using 'tcpdump -E <stuff>'), with 
> a little more flexibility (more algorithm options, better support for 
> the ESP RFC's, etc).  If the correct key or passphrase is known, it 
> could be provided to Snort at run-time, traffic could be decrypted on 
> the fly by a preprocessor, and the clear text data checked against the 
> rule set being used.

That would indeed be a kick ass pre/post processor to have!

> The one major drawback I see to this approach is the possibility of 
> processor saturation.  A Snort box in a high-traffic environment 
> already has it's hands full checking packets against the large number 
> of sigs common in networks such as these.  Chances are, it wouldn't 
> have many free proc cycles to perform such a processor intensive task 
> as decrypting data.  This feature would thus only be useful in a 
> low-traffic environment without introducing a packet loss problem.

Hrm...  This brings to mind something--Sun and IBM are both sporting Crypto
Accelerator cards.  Intel (and 3com?) now have a crypto chip built into some
ethernet cards...  With the benefit of those two bits of hardware, I wonder
how much saturation you would get?  If the key/algorithm is known, and can
have a decoder built for it, it should scream!  And no, I'm not a Crypto
Monkey, nor do I play one on T.V.  :)

Erek Adams

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-devel mailing list